Academics Launch Rowhammer Attacks Using Network Cards

In an academic paper published last week, researchers from Vrije Universiteit Amsterdam and the University of Cyprus demonstrated how to exploit the Rowhammer memory-chip weakness using only network packets sent across a local area network.

Until this publication, Rowhammer exploits required code execution on the targeted machine, meaning that attackers either had to sneak unprivileged code onto their targets or find a way to draw users to a website on which they would be persuaded to download malicious JavaScript. The new research revealed that on RDMA-enabled (remote direct memory access) networks, which are increasingly used in clouds and data centers, attackers can send specially designed packets in quick succession, making Rowhammer attacks easier and much more straightforward to launch. The researchers named the new attack method Throwhammer.

“Thus far, Rowhammer has been commonly perceived as a dangerous hardware bug that allows attackers capable of executing code on a machine to escalate their privileges,” the researchers wrote. “In this paper, we have shown that Rowhammer is much more dangerous and also allows for remote attacks in practical settings. We show that even at relatively modest network speeds of 10Gbps, it is possible to flip bits in a victim machine from across the network.”

The Rowhammer hardware vulnerability has recently been demonstrated to pose an increasing threat to system security. However, attacks had previously not progressed past local privilege escalations or sandbox escapes. Today’s networks are becoming increasingly fast, allowing attackers to use bit flips induced by network traffic, which rapidly and repeatedly pounds the same row of memory, to compromise a remote server application.

The researchers say that their demonstration is the first reported case (to their knowledge) of a Rowhammer attack occurring over the network rather than locally. They were able to remotely flip bits using a commodity 10 Gbps network. They relied upon the RDMA technology commonly deployed in clouds and data centers to rapidly read from remote DMA buffers, which causes Rowhammer corruptions outside these untrusted buffers. The corruptions allowed them to compromise a remote memcached server without relying on any software bug.

As workloads migrate to the cloud in increasing numbers, data is being centralized in large installations, which have access to, and can sustain, 10GigE transfer rates. According to the Dutch and Cypriot teams, Rowhammer attacks can be launched using a commodity 10 Gbps network and RDMA. Networks such as these are increasingly used in corporations, universities and other organizations that require low latency and high speed.

The team of researchers points out that existing Rowhammer defences are not strong enough to guard against these kinds of attacks. However, if “guard zones” are constructed around the memory space allocated for DMA buffers, Rowhammer attacks can be prevented.
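
The guard-zone idea can be illustrated with a small model. This is an added example, not code from the paper or the researchers. It assumes a simplified memory in which DRAM rows are numbered linearly and bit flips reach only rows directly adjacent to a hammered row; real address mappings interleave banks and channels, and the names `RowAllocator`, `exposed_rows` and `layout` are hypothetical.

```python
GUARD_ROWS = 1  # assumption: flips land only in rows adjacent to a hammered row

class RowAllocator:
    """First-fit allocator over DRAM rows that pads DMA buffers with guard rows."""

    def __init__(self, total_rows, guard_rows):
        self.owner = [None] * total_rows  # None = free, else "data"/"dma"/"guard"
        self.guard = guard_rows

    def _find_free_run(self, length):
        run = 0
        for i, o in enumerate(self.owner):
            run = run + 1 if o is None else 0
            if run == length:
                return i - length + 1
        raise MemoryError("no free run of %d rows" % length)

    def alloc(self, nrows, kind):
        # Only DMA buffers (remotely readable, hence hammerable) get guard rows.
        pad = self.guard if kind == "dma" else 0
        start = self._find_free_run(nrows + 2 * pad)
        for i in range(start, start + nrows + 2 * pad):
            inside = start + pad <= i < start + pad + nrows
            self.owner[i] = kind if inside else "guard"
        return start + pad  # first usable row of the allocation

def exposed_rows(owner, reach=GUARD_ROWS):
    """Rows holding non-DMA data that lie within `reach` rows of a DMA row."""
    dma = [i for i, o in enumerate(owner) if o == "dma"]
    return sorted({j for i in dma for j in range(i - reach, i + reach + 1)
                   if 0 <= j < len(owner) and owner[j] == "data"})

def layout(guard_rows):
    """Constructed scenario: application data, a DMA buffer, more application data."""
    a = RowAllocator(total_rows=16, guard_rows=guard_rows)
    a.alloc(2, "data")
    a.alloc(4, "dma")
    a.alloc(2, "data")
    return a.owner

if __name__ == "__main__":
    for g in (0, GUARD_ROWS):
        rows = layout(g)
        print("guard rows:", g, "layout:", rows, "exposed:", exposed_rows(rows))
```

Without guard rows, the application rows bordering the DMA buffer are within reach of network-induced hammering; with them, any flips fall in rows that hold no data.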